
gitlab container-scanning trivy docker-buildx image-digest
Posted on Saturday, March the 30th 2024

ARM64 container scanning in GitLab CI/CD

Tl;dr: Use trivy directly and specify image platform with --platform.

Trivy is a container vulnerability scanner by Aqua Security.

The GitLab CI/CD container scanning template uses trivy under the hood. However, if we run a container scan on an image that was not built for the default architecture linux/amd64, for example an image built only for linux/arm64, trivy fails with an error similar to the following (registry details redacted):

INFO Vulnerability scanning is enabled
FATAL image scan error: scan error: unable to initialize a scanner: unable to initialize an image scanner: 4 errors occurred:

* docker error: unable to inspect the image (**********): permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "**********": dial unix /var/run/docker.sock: connect: permission denied

* containerd error: containerd socket not found: /run/containerd/containerd.sock

* podman error: unable to initialize Podman client: no podman socket found: stat podman/podman.sock: no such file or directory

* remote error: no child with platform linux/amd64 in index **********

The first three errors are just trivy trying its local image sources (Docker, containerd, Podman) and finding no socket, which is expected inside a CI job. The relevant one is the last line: no child with platform linux/amd64 was found in the image index. Since the index only contains a child for linux/arm64, this error makes complete sense.

Why does this happen? Simply put, when trivy resolves a multi-platform image index it selects the linux/amd64 child by default. If we want to scan another platform, we have to say so explicitly with the --platform option of trivy image, e.g. --platform linux/arm64.

If we use the GitLab container scanning template to run trivy on an image, there currently seems to be no way to pass the platform option through to trivy. Consequently, the template cannot, at present, be used to scan images for platforms other than linux/amd64; the workaround is to call trivy directly in a job of our own.

How to fix missing image digests when using docker buildx build

With provenance attestations enabled (the default in recent buildx), docker buildx build pushes an OCI image index that carries an extra attestation manifest next to the image manifest, even for a single-platform build. GitLab does not extract a digest from this index, so the image metadata shows up empty and no digest is reported. Passing --provenance false makes buildx push a plain single-platform manifest again, which fixes the empty metadata/no digest issue in GitLab.

docker buildx build --provenance false ...
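The following .gitlab-ci.yml is an added example, not code from the original note, that ties both points together: a build job produces a linux/arm64 image with --provenance false, and a scan job calls trivy directly with --platform linux/arm64 instead of going through the container scanning template. The image tag scheme ($CI_REGISTRY_IMAGE:$CI_COMMIT_SHA), the docker:27 and aquasec/trivy:latest image tags, and the binfmt emulation step (only needed on a non-arm64 runner) are assumptions for illustration; pin versions as appropriate for your project.

```yaml
# .gitlab-ci.yml (added example, not from the original note)
# Build a linux/arm64 image without provenance attestations, then scan it with
# trivy directly so that --platform can be passed.
stages:
  - build
  - scan

variables:
  # Assumed tag scheme: one image per commit in the project's GitLab registry.
  IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  PLATFORM: linux/arm64

build-arm64:
  stage: build
  image: docker:27            # assumed version tag; pin to what you use
  services:
    - docker:27-dind
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # QEMU user-mode emulation so an amd64 runner can build arm64 layers.
    # Drop this step if the runner itself is arm64.
    - docker run --privileged --rm tonistiigi/binfmt --install arm64
    - docker buildx create --use
  script:
    # --provenance false: push a plain single-platform manifest instead of an
    # OCI index with an attestation manifest, so GitLab can report the digest.
    - docker buildx build --platform "$PLATFORM" --provenance false --push -t "$IMAGE" .

scan-arm64:
  stage: scan
  image:
    name: aquasec/trivy:latest   # assumed tag; pin a release in practice
    entrypoint: [""]
  variables:
    # trivy reads registry credentials from these environment variables.
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    # --platform selects the linux/arm64 child of the index; without it trivy
    # looks for linux/amd64 and fails with "no child with platform linux/amd64".
    # --image-src remote skips the docker/containerd/podman socket probes.
    # /contrib/gitlab.tpl ships inside the trivy image and emits the report
    # format that GitLab's container_scanning artifact expects.
    - >-
      trivy image --platform "$PLATFORM" --image-src remote
      --format template --template "@/contrib/gitlab.tpl"
      -o gl-container-scanning-report.json "$IMAGE"
    # Second pass (served from the local cache) fails the job on HIGH/CRITICAL findings.
    - >-
      trivy image --platform "$PLATFORM" --image-src remote
      --exit-code 1 --severity HIGH,CRITICAL "$IMAGE"
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
```

Because the scan job writes the report in GitLab's container scanning format and declares it as a container_scanning artifact, the findings still appear in the merge request security widget, so nothing is lost by bypassing the template. If the runner that executes the scan job is itself arm64, the --platform flag is still worth keeping: it makes the scanned platform explicit rather than dependent on which machine the job happens to land on.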
friedrichkurz.me

© 2025 Friedrich Kurz
